Code Grey: The Race to Secure Medical Records
As we find ourselves ever more interconnected in the digital age, the issue of cybersecurity has become a critical concern. Our personal data, medical records, financial details, and so much more are being collected and stored online at an unprecedented scale. While this digital transformation has brought about many conveniences, it has also given rise to significant vulnerabilities. Accidental data exposure, cyberattacks, and massive breaches orchestrated by cybercriminal gangs have become all too common. Our increasingly digital lives necessitate robust and proactive cybersecurity measures.
I want to discuss an experience that highlights these cybersecurity concerns in a very tangible way. Earlier this year, I stumbled upon a disturbing example of this very issue while conducting a routine scan using an IoT search engine: two different medical clinics had ultrasound devices that were publicly exposed and accessible without authentication. This exposed nearly 50,000 image studies, everything from ultrasounds of joyous first glimpses of babies to images that were very private and sensitive (note that I only saw a very few of the study descriptions, and never attempted to look at the images themselves). The data also included names, birthdates, Medicare numbers, and other private information.
Naturally, this is a big deal. Medical and personal records are supposed to be confidential. If they fall into the wrong hands, serious damage can occur. From identity theft to insurance fraud, or even blackmail, the risks are numerous and significant.
Upon discovering this, I immediately contacted both clinics privately. One clinic acted promptly, securing the exposed data. However, the response from the other clinic was less than ideal. Despite my alert, they did not secure their device immediately.
Worried about the unsecured data, I decided to contact the press, hoping to spark action. In hindsight, involving the authorities directly would have been a better decision. Lesson learned!
My attempt to accelerate matters did shake things up, but not as expected. Fearing a negative press article, the clinic threatened legal action, citing ‘defamation’ and suggesting that I could be held liable for any damages they incurred.
After I discussed this with my lawyers, it became clear that the clinic had little legal ground to stand on. Even so, to avoid the stress and time involved in a potential lawsuit, I requested that the news article be cancelled.
This situation raises an important question: how is it that we live in such an advanced digital age, yet still face such blatant cybersecurity risks? The answer lies, in part, in the gap between technological advancement, regulation, and the tools and education needed to secure data. Let’s set regulation aside for now. Medical clinics, amongst other organisations, aren’t always equipped with the resources and knowledge to manage data securely, even though they’re the ones ultimately responsible for protecting it.
It also highlights the crucial role that manufacturers and vendors play. Manufacturers should build devices and software that are secure by default and that warn users when they are configured insecurely; a device that will serve patient studies to anyone who connects, without authentication, is not a state a clinic should be able to reach without noticing. Vendors, too, have a vital role in educating buyers about the importance of secure configurations and good cybersecurity practices.
This brings us to regulation. In our current era, with the growing prevalence of digital information and the vast potential for misuse, it’s my belief that broader and more stringent regulation is not only inevitable, but necessary. Unless major changes occur — a scenario that, frankly, seems unlikely given the current trend — government intervention will be required to protect consumers and ensure the security of sensitive data.
It’s instructive to look back in history and observe how government regulations often arise in response to systemic market failures. For example, consider the establishment of environmental regulations like the Clean Air Act and Clean Water Act in the United States. These were introduced when it became clear that industries alone were unable to sufficiently curb pollution and protect our natural resources.
Similarly, in the realm of consumer protection, regulations like the Fair Credit Reporting Act (FCRA) and the Consumer Product Safety Act were brought into existence when market forces failed to adequately safeguard consumers.
Regulations such as the GDPR and the CCPA have already gone into effect, pointing to a growing recognition of the need for data protection and cybersecurity regulation.
The General Data Protection Regulation (GDPR) in the European Union, in force since 2018, set new standards for data protection, privacy, and consent, granting individuals greater control over their personal data. While not exclusively focused on cybersecurity, the regulation has had significant impacts in that area by forcing organizations to implement stronger measures to protect personal data.
Similarly, the California Consumer Privacy Act (CCPA), which went into effect in 2020, represents another substantial step toward more stringent data protection regulation in the United States. The CCPA gives California residents more control over their personal information, including the right to know what data is being collected about them, the right to delete personal information held by businesses, and the right to opt out of the sale of their personal information.
We’re also seeing an increasing number of discussions about national privacy and cybersecurity laws in many countries, further underlining the shift toward more government intervention in this space.
We find ourselves in a delicate position. The data we freely give away holds immense value, but the protection of that data has not kept pace with its collection. Securing our digital future is a responsibility we all share. Whether as individuals, corporations, or governments, we each have a role to play in making the digital world a safer place. The experiences I’ve shared today underline the urgency of this task. We must act with commitment and collaboration to ensure the benefits of our increasingly digital lives don’t come at the expense of our privacy and security.